Imagine an intruder found his way into your VoIP network undetected and began listening to any conversation he chose, extracting sensitive information, company secrets or even details he could use to blackmail your CEO.

Last month, a company called Internet Security Systems (ISS) issued an alert to warn users that Cisco's VoIP offering had a security flaw that would allow just that. According to the company, this implementation flaw in Cisco's Call Manager, which handles call signaling and routing, could allow a buffer overflow that would grant an intruder access to the system to listen in on all calls routed through it.

This is one scenario described by ISS and other vendors focused on selling technology to plug the security holes in VoIP, a method for sending voice traffic over IP that many say was not designed with security in mind. ISS and its competitors, which come to this new field largely from the VoIP management and IP security markets, forecast big risks for companies that don't take VoIP security seriously, and undoubtedly look forward to formidable revenue streams generated by those that do.

Growing pains

VoIP "is going to have growing pains when it comes to security," says Neel Mehta, team lead with ISS's X-Force research and development group. "It's still an emerging threat, but one we take very seriously."

This group of vendors, which includes BorderWare, Secure Logix and NFR, urges the use of such security appliances as firewalls that are specifically designed to filter VoIP traffic for suspicious patterns and drop those connections.

Yet it's difficult to find a company that has suffered at the hands of VoIP abusers, be they spammers clogging voice mail boxes with unwanted messages, intruders listening to phone conversations or scammers masking their true identity. So far, the threats appear to be largely hypothetical.

"I don't think there's a whole lot of real threats right now," says Irwin Lazar, senior analyst with Burton Group. "VoIP is still pretty much a closed system; almost no company exposes their VoIP system to the Internet." However, once that changes and companies start publicizing their SIP addresses used in VoIP communications on business cards and Web sites, security will become essential, he says.